RU2736166C1 - Method of identifying an online user and device thereof in an application - Google Patents

Abstract

FIELD: information technology.

SUBSTANCE: invention relates to information technology and can be used to provide secure access to information resources and payment systems. Method comprises stages, at which an online user installs an Application on their user device and launches it, wherein the Identification Service client module is included in the installed Application, through which is read from the user device its own hardware device identifier (NUDID) and a unique hardware user identifier (UHSI), associated in the device to the NUDID, generating a unique transaction identifier (UTID) for unambiguous designation of each specific operation, obtaining a UHSI, NUDID and UTID identifier binding from the client module, determining, based on the received UHSI or NUDID, the mobile subscriber number of the digital network (MSISDN) and comparing the UHSI and NUDID link obtained from the client module with the updated UHSI identifier and NUDID binder obtained after determining the MSISDN number. Further, the Identification Service server module generates a unique user identifier (UID), a unique user device identifier (SUDID), a unique composite user identification key and its device (UCIK), a UCIK (UIKF) print, and transmitting the composite UCIK key and its UIKF print to the client module in the Application.

EFFECT: high reliability of identification.

4 cl, 1 dwg, 4 ex

Description

The present invention relates to the field of information technology, namely, to a method of identifying an online user and his device using unique hardware and subscriber identifiers, such as MSISDN, when the online user's device is located in any data network in an Application that has access to reading hardware identifiers of the device and user.

Terms used in the text of the description of the invention.

Application (APP) - Software for UD, acceptablely implemented to participate in the described method (including, but not limited to, a mobile application executed, in particular, but not only, using the technology of native code, SDK code with development in the IDE , as well as PWA and / or similar WEB-technology, in particular, but not necessarily, using WebView components). An application can also be a built-in function or component of the operating system of the device.

IS (Identification Service) - An Identification Service that provides accurate customer identification. All server and client software and hardware components of IS, if necessary, but not necessarily, can be partially or fully represented by software and hardware solutions of counterparties. In particular, the functions of determining MSISDN, sending hidden and normal SMS can (but not necessarily) be performed by components created and / or hosted in the OSS infrastructure or other software and hardware infrastructures of third parties. All server components of IS can be partially and / or completely located in the infrastructure perimeter of contractors on any type of server placement (including, but not limited to, on a single physical, virtual, connected physical or virtual servers, or cloud solutions). All IS client software can be updated from the IS server. The interaction of the server and client parts, as well as their data exchange with third parties, takes place over a secure protocol (except for cases requiring an insecure protocol). The condition of acceptability for the server and client code is the possibility of technical reproduction of all steps described in the Method, provided that the safety rules for UD operation are observed. IS includes:

Client Module (CM) - program code on the user side, separately pre-embedded (or downloaded from the IS server) into the Application, does not affect the main functionality of the Application, but adds functionality for user identification. CM can be updated “on the fly” while the Application is running.

server module (Server Module - SM) - program code on the server side for performing data processing functions and the necessary data exchange between all components of the infrastructure for implementing the method.

Cellular communication (mobile communication network) is one of the types of continuous when a mobile radio subscriber moves in the same frequency range, which is based on a cellular network, the total coverage area of which is divided into cells (cells), which are determined by partially overlapping coverage areas of individual base stations (BS).

OCC (Operator of Cellular Communications) is a company that provides cellular services for the cellular devices of its subscribers. OSS can be infrastructurally represented as technically and legally separate providers of different functions included in cellular communication. Some providers can simultaneously perform the same functions (including, but not limited to, storing the MSISDN registry, MSISDN bundles, IMEI and IMSI, sending hidden and regular SMS, determining the location of subscriber equipment), being considered an integral part of the OSS.

Hidden SMS - this message is not displayed in the interface of the mobile device and the user does not see it.

MSISDN (Mobile Subscriber Integrated Services Digital Number) - the number of a mobile subscriber of a digital network with integrated services for communication in GSM, UMTS, etc.

SIM-card (Subscriber Identification Module) is an electronic subscriber identification module used in mobile communications. It can be made as a separate component inserted into a communication device, or it can be installed in the device as standard due to its hardware and software.

ICCID (Integrated Circuit Card identifier) - unique serial number of the SIM card.

IMSI (International Mobile Subscriber Identity) is an international mobile subscriber identifier (individual subscriber number) associated with each mobile user of the GSM, UMTS or CDMA standard.

UHSI (Unique Hardware Subscriber Identifier) is a unique hardware user identifier, including, but not limited to, a cellular subscriber. UHSI can be, in particular, but not limited to, IMSI or ICCID, as well as certificates in applications, operating system, or identification keys on external hardware.

UD (User's Device) - any arbitrary software and hardware environment of the user (including, but not limited to, a remote virtual OS) that ensures the correct operation of the necessary part of the technical solution on the user's side.

Storage - any container that is technically acceptable for the operation of the described scheme for writing / storing / reading / editing / deleting information in UD. Including, but not limited to, browser cookie or storage, internal application cache.

IMEI (International Mobile Equipment Identity) is an international mobile equipment identifier, usually unique, used to identify GSM, WCDMA and IDEN devices, as well as some satellite devices.

NUDID (Native Unique Device Identifier) is the device's own hardware identifier provided by the device manufacturer and stored on it using the device's standard hardware and software (for example, IMEI).

SUDID (Service Unique Device Identifier) is a unique device identifier in SM, associated on the IS server side with the user's own hardware device identifier (NUDID) and (if necessary) with other required user data, including identifiers in other data sources and user accounting systems.

UCPUID (Unique Cross-platform User ID) - a unique cross-platform identifier (in particular, but not limited to, MSISDN, SNILS, TIN, social security number, account on the Social Network, etc.), the storage of bundles (one or more) of which with other data is distributed among the participating platforms, and the primary source (release center) of which may be one or more of the participating platforms.

UID (Unique User Identifier) is a unique PS user identifier associated on the PS server side with one or more UCPUIDs and other necessary user data, including identifiers in other data sources and user accounting systems.

UCIK (Unique Composite Identification Key) is a unique composite key for identifying the user and the device, including the SUDID and UID, which serves to unambiguously identify the user and his device by the Online Service. UCIK can be one-time - working during one session and without writing / updating to the UD storage, as well as reusable (normal type) - with writing / updating to the UD storage.

UIKF (User's Identification Key Fingerprint) is a UCIK fingerprint generated in IS and allowing a user to be uniquely distinguished on the side of the Online Service, but not identified in IS. UIKF can be one-time - working during one session and without writing / updating to the UD storage, as well as reusable (normal type) - with writing / updating to the UD storage.

UTID (Unique Transaction Identifier) is a generated (server or client side) unique identifier of a transaction to unambiguously designate each specific operation of interaction between elements of any Information System. In the described Method, this is a unique identifier of the procedure for determining the user's MSISDN.

UCC (Unique Confirmation Code) is a unique confirmation code generated and sent from SM to the user's device and sent back by the user to verify that the user has performed a certain operation or data (in this case, the definition of the user's MSISDN).

Data is a multi-interpretable representation of information in a formalized form, suitable for transmission, communication or processing, which are operated by information systems and their users.

Metadata is information about other information, or data related to additional information about a content or object. Metadata discloses information about the characteristics and properties that characterize any entities, allowing you to automatically search and manage them in large information flows.

Network (Computer network, Computer network) - a system that provides data exchange between computing devices (computers, servers, routers and other equipment). Various media can be used to transfer information. Examples of the Network - Internet, Intranet.

User - a person or organization that uses the Web to perform a specific function.

Session - a session of interaction between CM and SM within the opening and closing of the application (including the browser).

Data transfer protocol (hereinafter referred to as the protocol) is a set of logical-level interface agreements that define the exchange of data between various programs. These conventions define a uniform way of transmitting messages and handling errors when software interacts with spaced hardware connected by one or another interface.

Secure protocol is a protocol that ensures that the transmitted data cannot be falsified by third parties.

There are a large number of Online Services on the Networks that provide various services to online users. In order to use these services, the online user in most cases must go through the identification and authentication procedure in these Online services, providing his personal or payment details and confirming them. This is due to the conditions for secure access to special information or the implementation of financial or other important transactions. Such a procedure creates inconvenience for the online user, who each time must manually enter their payment or personal identification data, or enter a password, PIN or the like when re-accessing the Online Service. Owners of user devices have access to information resources by means of their devices, and the security of information stored on devices, or access to which is obtained with their help, is an important issue. For the convenience of online users when solving various tasks and performing various operations on their user device, specialized applications are provided. When using such applications, it is important to securely store information about the user and his device when accessing it.

Known System for conducting monetary transactions, according to patent RU2620715 with a priority of 05/31/2012. The system may include a mobile device that launches an application to work in the system for conducting monetary transactions, as well as a subscriber who has a profile in the system. The subscriber specifies the transaction to be performed in the money transaction system. The system processor executes subscriber-specified transactions, including communication with a monetary transaction database, to determine whether or not a transaction is valid based on the subscriber's profile data. When conducting a transaction, the system also includes at least one entity participating in the specified transaction and having a profile in the system. This entity can be a human, retail store, agent, or other entity. The disadvantage of this system is that, to identify the user, it additionally performs checks according to the client identification program in accordance with the Bank Secrecy Act and the US PATRIOT Act. for security purposes, it involves an additional comparison of customer identification data with government identification data. This security system assumes its use by a limited number of persons, data on which is in the Bank Secrecy Act and US PATRIOT Act. In addition, the system assumes the initial setting of those payments that the user wants to make, that is, it is assumed that there is a mandatory presence of a personal account, where the user marks in a list those transactions that he wants to carry out - this leads to the requirement for a separate application to use the method and the impossibility without preliminary actions to choose a payment method and make it.

The closest analogue of the claimed invention is the well-known Method for identifying a mobile user by third parties based on a subscriber identification module (SIM) card and device-related parameters available in telecommunication networks, according to GB2573262 patent with priority from 03/08/2018. The method consists of the following stages: - The mobile user tries to interact with the Application or access the website, the developer of the Application / website sends the request for the mobile identifier to the external IPification server; The IPification server transmits up to six mobile ID requests as API calls to the mobile operator's server, with each mobile ID request based on one of the following input parameters associated with the SIM card / device: IMSI, ICCID, IMEI, MSISDN, private IP and public IP; - The server of the mobile operator transmits the mobile identifiers back to the IPification server; wherein each of the mobile identifiers is generated in response to one of the mobile ID requests sent to the server of the mobile operator as input parameters, and each mobile identifier is a unique alphanumeric identifier of a user subscribing to mobile services provided by the operator mobile communications; - The IPification server checks whether all mobile device identifiers received from the mobile operator's server are identical and, depending on the verification result, responds in two alternative ways: If the verification result is positive, the IPification server provides a single mobile user identifier to the developer of the Application / website, which by thereby authenticating the mobile user and allowing him to interact with the Application or access the website; - If the verification result is negative, the IPification server provides the Application / website developer with information about the failed user authentication, and as a result, the user is not allowed to interact with the Application or access the website. The disadvantage of this method is its use only for the mobile Internet, which significantly narrows the user's capabilities in real circumstances, for example, when access to the Network is possible only through a wireless computer WiFi network.

The proposed invention solves the technical problem of eliminating these drawbacks, namely, it provides reliable identification of the online user and his device in any data network when the Application is loaded on the user device and has access to read the hardware identifiers of the device and the online user after his initial identification in the Application. ...

The technical result of the invention is to improve the reliability of identification of an online user and his device using the Identification Service, which includes client and server modules, and the client module is included in the Application downloaded to the online user device, which has access to unique hardware and subscriber identifiers of the online user, such as a mobile subscriber number of an integrated services digital network for communication in GSM, UMTS, etc. standards (MSISDN) or a unique composite user and device identification key (UCIK), which is associated with MSISDN. As a result, secure access to information resources and payment systems is provided by identifying and confirming unique hardware and subscriber identifiers from the Application.

The technical result is realized through the following stages of the implementation of the method for identifying an online user and his device in the Application. An online user installs the Application on his user device and launches it. The difference between the Method described in this invention lies in the fact that the client module of the Identification Service is included in the installed Application, with the help of which its own hardware device identifier (Native Unique Device Identifier - NUDID) and the unique hardware identifier of the user (Unique Hardware Subscriber Identifier) are read from the user device. - UHSI), tied in this device to the NUDID. A unique transaction identifier (UTID) is generated to uniquely identify each specific transaction. A bunch of UHSI, NUDID and UTID is received from the client module, the mobile subscriber integrated services digital number (MSISDN) is determined from the received UHSI or NUDID, and the UHSI and NUDID bunch received from the client module is compared with the updated UHSI and NUDID. obtained after determining the number of the mobile subscriber of the digital network (Mobile Subscriber Integrated Services Digital Number - MSISDN). Then the server module of the Identification Service generates a Unique User Identifier (UID), a Service Unique Device Identifier (SUDID), a Unique Composite Identification Key (UCIK), a UCIK fingerprint ( User's Identification Key Fingerprint - UIKF) and pass the UCIK composite key and its UIKF fingerprint to the client module in the Application. If the updated UHSI and NUDID link does not match the link received from the client module, or there is a suspicion of incorrect determination, a message is sent to the received MSISDN number to the user device, for example, a hidden SMS message containing a Unique Confirmation Code (UCC). Then, the UCC code is read from the message, the code received from the client module is compared, and the code sent by it to the MSISDN number is checked whether the sent transaction identifier UTID matches the previously sent one. If the codes of the online user and his device match, it is considered confirmed. If the online user and his device were previously identified, but the Application currently does not have access to read the hardware identifiers of the device and the online user, then using the client module, a unique composite key for identifying the user and his UCIK device is read from the user device and are sent to the Identity Service to determine the first bundle of the device hardware identifier (NUDID) and the number of the mobile subscriber of the digital network (MSISDN) registered with the last determination of the user's MSISDN by the UCIK key. Next, the current MSISDN is determined by the device NUDID and their next second bunch is obtained. The third linking of the NUDID and MSISDN on the user device is updated and compared with the previously obtained links of the NUDID and MSISDN; if the online user and his device match, they are considered confirmed. If only the second bundle matches the current MSISDN and the third bundle updated on the user device, the server module of the Identity Service generates a unique user identifier (UID), a unique identifier of a user device (SUDID), a unique composite key for identifying a user and his device (UCIK), a UCIK fingerprint (UIKF), and pass the UCIK composite key and its UIKF fingerprint to the client module in the Application. In the case of an unidentified online user and his device earlier in the Application and the Application does not have access to reading the hardware identifiers of the device and the online user, identification is provided by his MSISDN number in manual mode for the duration of the session without recording his one-time UIKF key in the storage of the Identification Service.

It should be clarified that all server and client software and hardware components of the Identification Service can be partially or fully represented by software and hardware solutions of counterparties. At the same time, all server components of the Identity Service can be partially and / or completely located in the infrastructural perimeter of counterparties on any type of server location, and the client components can be updated from the server side. The interaction of the server and client parts, as well as their data exchange with third parties, takes place over a secure protocol.

Thus, the identification of the online user and his device connected to any data transmission network, carried out by the client module of the Identity Service built into the installed Application on the user device with the primary identification of the online user, which has access to read the hardware identifiers of the user's device and of the online user itself, allowing you to record the resulting bundle of hardware identifiers in the Identity Service storage, generate a unique transaction identifier to unambiguously designate a specific operation, compare the bundle of hardware identifiers from the client module with the updated bundle of hardware identifiers obtained after determining the mobile subscriber number of the digital network, generate a server by the Identification Service module unique identifiers of the user and his device, their unique composite identification key and the fingerprint of this key for transmission to the client module in the Application, and as a result, with high accuracy, identify the online user and his device on the Web. Also, if the updated bundle of hardware identifiers does not match the bundle received from the client module, a message is sent to the given mobile subscriber number of the digital network to the user device containing a unique confirmation code, which is read and sent to the server module of the identification service, the confirmation code received from the client module is compared with code sent to the MSISDN number, and the correspondence of the sent transaction ID to the previously sent one is checked, as a result, if the codes match, the online user and his device identification is considered confirmed. Provided that the Application currently does not have access to reading the hardware identifiers of the device and the online user, then using the client module, a unique composite key for identifying the user and his device is read from the user device and sent to the Identification Service to determine the first bundle of hardware the device identifier and the number of the mobile subscriber of the digital network MSISDN registered when it was last identified by the user, then the current MSISDN number is determined by the device identifier and their next second bundle is obtained, the third bundle of the device identifier and the MSISDN number on the user device is updated and compared with the previously received bundles device identifier and MSISDN, if the bundles match, the online user and his device are considered verified. Also, if only the second bundle by the current MSISDN number matches and the third bundle updated on the user device, the server module of the Identification Service generates a unique user identifier (UID), a unique identifier of a user device (SUDID), a unique composite key for identifying a user and his device (UCIK) , UCIK fingerprint (UIKF), and transmit the UCIK composite key and its UIKF fingerprint to the client module in the Application, thereby confirming the online user and his device. In addition, an online user who was not previously identified in the Application, if the Application does not have access to reading the hardware identifiers of the device and the online user, is given the opportunity to obtain identification by his number of the mobile subscriber of the digital network in manual mode during the session without recording his one-time unique a composite identification key in the storage of the Identity Service, which allows you to provide secure access to an information resource. Consequently, the entire set of the specified stages of the method implements the specified technical result, which consists in increasing the reliability of identification of the online user and his device in the Application and ensuring the security of access to information resources of the Network.

The invention is carried out as follows:

The user installs on his device an Application with a built-in or downloaded from the server Client Module (Client Module, or CM) of the Identification Service (IS) and starts it.

CM checks for NUDID and UHSI read access.

CM has NUDID and UHSI read access.

The CM reads from the device its NUDID (Native Unique Device Identifier) and UHSI (Unique Hardware Subscriber Identifier) associated in this device with this NUDID.

The CM sends an IS request to the Server Module (SM) IS, containing the UHSI, NUDID and UTID (Unique Transaction Identifier - a unique transaction identifier generated in CM or SM).

SM receives NUDID, UHSI and UTID and determines the MSISDN (Mobile Subscriber Integrated Services Digital Number) by the received UHSI or NUDID, updates and stores the UHSI and NUDID bundle, compares the updated UHSI and NUDID bundle with the bundle received from CM.

If the updated UHSI and NUDID link matches the link sent by CM, then:

SM generates UID, SUDID, UCIK and UIKF as needed, updates UHSI and MSISDN as needed, sends UCIK, UIKF and, if necessary, MSISDN in response to CM.

CM writes / updates UCIK, UIKF and MSISDN as needed in storage.

The app gets UIKF or UIKF and MSISDN as needed from CM.

If the updated link between UHSI and NUDID does not correspond to the link sent by CM (either only UHSI or NUDID was sent, or there is a suspicion of incorrect determination by indirect indications), then:

SM sends a message on the given MSISDN to UD (User's Device - any arbitrary software and hardware environment of the user), for example, a hidden SMS message, with UCC (Unique Confirmation Code).

CM reads UCC from message.

CM sends a request containing the received UCC and UTID to SM.

SM compares the code received from CM and the code sent by it to the MSISDN, and also verifies that the UTID sent matches the identifier sent earlier from CM to SM. If the codes match, the number is considered confirmed and you go to the steps when the updated UHSI and NUDID link matches the link sent by CM (see paragraph 2.a.iii.1 above).

CM does not have NUDID and UHSI read access.

CM gains access to read NUDID and UHSI in manual or automatic mode. Go to steps when there is access (see paragraph 2.a above).

CM does not get NUDID and UHSI read access. CM checks for the presence of UCIK (Unique Composite Identification Key - a unique composite key for identifying a user and a device) in the UD (User's Device - any arbitrary software and hardware environment of the user) storage.

UCIK is in the UD repository.

A request is made from CM to SM with UCIK transmission.

SM by UCIK determines the NUDID and MSISDN (first bind) that were registered when the user's MSISDN was last determined.

SM by NUDID determines the current MSISDN (second bunch).

To update the NUDID and MSISDN link, SM sends a command / message (for example, but not limited to a hidden SMS) to the current MSISDN.

in case of message delivery, SM receives the current pair of NUDID and MSISDN (third link), after which it proceeds to further steps (see paragraph 2.b.ii.1.e below).

in case of non-delivery of the command / message, the transition to the steps occurs when there is no UCIK in the storage (see paragraph 2.b.ii.2 below).

SM compares the old and new NUDID and MSISDN values for three links, after which three scenarios are possible:

if all three bundles NUDID and MSISDN match, then

SM returns the status of successful identification in CM.

Application gets UIKF or UIKF and MSISDN (as needed) from CM.

if the second and third bundles coincide, then

SM generates new SUDID, UID, UCIK and UIKF as needed, updates the UHSI and MSISDN link if necessary, returns to CM a new UCIK, UIKF, MSISDN (if necessary) and the status of successful identification.

CM writes / updates UCIK and UIKF to storage.

Application gets UIKF or UIKF and MSISDN (as needed) from CM.

In all other cases of comparing bundles, the transition to steps occurs when there is no UCIK in the repository (see paragraph 2.b.ii.2 below)

There is no UCIK in the UD store.

CM shows a form for user input MSISDN, user enters and submits through the form to SM his MSISDN, as a result of which the form changes and shows a field for input UCC (Unique Confirmation Code - unique confirmation code).

SM generates and sends to UD a confirmation code (UCC), including but not limited to SMS, notifications to the App or messages to the messenger.

The user enters in a UCC form, which CM sends to SM.

SM checks the validity of the UCC, and if it is valid, sends a response to the CM with the status of the validity of the code, generates, if necessary, UID, SUDID, one-time UCIK and one-time UIKF and sends to CM only one-time UIKF and MSISDN (if necessary) of the user with an instruction for CM not to write UIKF in storage. The user receives identification by his MSISDN for the duration of the session.

The app gets UIKF or UIKF and MSISDN as needed from CM.

A diagram of a method for identifying an online user and his device in an application is shown in Fig. 1.

Example 1.

A method for identifying an online user and his device if the Client Module (CM) of the Identification Service (IS) has access to read NUDID (Native Unique Device Identifier) and UHSI (Unique Hardware Subscriber Identifier) unique hardware user identifier), as well as if the current UHSI and NUDID bundle matches and the bundle sent by the Client Module, it is carried out in the following sequence according to the diagram in Fig. 1:

a. Request from CM to SM with transmission of UHSI, NUDID and UTID (Unique Transaction Identifier - unique transaction identifier generated in CM or SM).

b. SM determines the MSISDN (Mobile Subscriber Integrated Services Digital Number) from the received UHSI. SM generates UID, SUDID, UCIK and UIKF as needed, updates UHSI and MSISDN as needed, sends UCIK, UIKF and, if necessary, MSISDN in response to CM.

c. CM writes / updates the UCIK, UIKF and MSISDN as needed in the store and passes the UIKF or UIKF and MSISDN as needed to the Application.

Thus, the identification of the online user and his device when the user requests from the application via any communication channel was made with absolute accuracy, thanks to the comparison and confirmation of the unique identifier of the user and his device by the hardware identifiers of the device and the user using the server and client modules, which provides secure access to information resources.

Example 2.

The method of identifying an online user and his device if the Client Module has access to reading NUDID and / or UHSI, as well as if the current NUDID and UHSI link does not match and the link sent by the Client Module with automatic verification of the user's MSISDN - is carried out in the following sequence according to the scheme in Fig. 1:

a. Request from CM to SM with transmission of UHSI, NUDID and UTID (Unique Transaction Identifier - unique transaction identifier generated in CM or SM).

b. SM determines the MSISDN by the received UHSI or NUDID. SM sends a message on the given MSISDN to UD (User's Device - any arbitrary software and hardware environment of the user), for example, a hidden SMS message with UCC (Unique Confirmation Code - unique confirmation code).

c. CM reads UCC from message. CM sends a request containing UTID and received UCC to SM.

d. SM compares the code received from CM and the code sent by it to the MSISDN, and also verifies that the UTID sent matches the identifier sent earlier from CM to SM. If the codes match (otherwise, see Example 4), the number is considered confirmed and SM generates UID, SUDID, UCIK and UIKF as needed, updates UHSI / MSISDN and NUDID / MSISDN bindings as needed, gives UCIK, UIKF and, if necessary, MSISDN to See the answer in CM.

e. CM writes / updates the UCIK, UIKF and MSISDN as needed in the store and passes the UIKF or UIKF and MSISDN as needed to the Application.

Thus, the identification of the online user and his device when the user requests from the application via any communication channel was made with absolute accuracy, thanks to the comparison and confirmation of the unique identifier of the user and his device by means of a command / message for comparing the hardware identifiers of the user and the device using the server and client modules, which provides secure access to information resources.

Example 3.

A method for identifying an online user and his device if the Client module does not have access to reading NUDID and UHSI and the presence of a UCIK (Unique Composite Identification Key - a unique composite key for identifying a user and a device) in the UD storage (User's Device - any arbitrary software and hardware environment of the user ), with automatic verification of the user's MSISDN - carried out in the following sequence according to the diagram in Fig. 1:

Request from CM to SM with UCIK transmission.

SM by UCIK determines the NUDID and MSISDN (first bind) that were registered when the user's MSISDN was last determined. SM by NUDID determines the current MSISDN (second bunch). To update the NUDID and MSISDN link, SM sends a command / message (for example, but not limited to a hidden SMS) to the current MSISDN.

The device notifies SM that the message has been delivered (otherwise see Example 4).

SM receives the current pair of NUDID and MSISDN (third link), compares the old and new values of NUDID and MSISDN for three links, after which two scenarios are possible:

if all three bundles NUDID and MSISDN match, then

SM returns the status of successful identification in CM.

The app gets UIKF or UIKF and MSISDN as needed from CM.

if the second and third bundles coincide, then

SM generates new SUDID, UID, UCIK and UIKF as needed, updates the UHSI and MSISDN bunch if necessary, returns to CM a new UCIK, UIKF, MSISDN if necessary and the status of successful identification.

CM writes / updates UCIK and UIKF to storage and uploads to application UIKF or UIKF and MSISDN as needed.

Thus, the identification of the online user and his device when the user requests from the application via any communication channel was made with absolute accuracy, thanks to the comparison and confirmation of the unique identifier of the user and his device by means of a command / message for comparing the hardware identifiers of the user and the device using the server and client modules, which provides secure access to information resources.

Example 4.

The method of identifying an online user and his device in the absence of access to reading NUDID and UHSI for the Client Module of the Identification Service and the absence of UCIK in the UD storage - with manual verification of the user's MSISDN - is carried out in the following sequence according to the diagram in Fig. 1:

a. Request from CM to SM to get a form with an MSISDN input field.

b. Receiving on UD from SM a form with a field for entering MSISDN.

c. Submitting MSISDN via form from UD to SM. Change the form to show the UCC (Unique Confirmation Code) input field.

d. Generating a confirmation code in SM and sending it to UD, including, but not limited to, via SMS, notification in the Application, or a message to the messenger.

e. UCC transmission by user input or automatic read from CM to SM.

f. SM checks the validity of the UCC, and if it is valid, it sends a response to the CM with the status of the validity of the code, generates, if necessary, UID, SUDID, one-time UCIK and one-time UIKF and sends to CM only a one-time UIKF of the user instructing CM not to write UIKF to the storage. The user receives identification by his MSISDN for the duration of the session.

g. CM passes a one-time UIKF or one-time UIKF and, if necessary, an MSISDN to the Application.

Thus, the identification of the online user and his device when the user requests from the application via any communication channel was made with absolute accuracy, thanks to the comparison and confirmation of the unique identifier of the user and his device with manual user identification using the server and client modules, which provides secure access to information resources.

Claims (4)

1. A method for identifying an online user and his device in the Application, including installing the Application on the device of the online user and launching the installed Application, characterized in that the client module of the Identity Service is included in the Application, using the client module, his own hardware identifier is read from the user device devices (NUDID) and a unique hardware user identifier (UHSI), write a bunch of UHSI and NUDID in the Identity Service storage, generate a unique transaction identifier (UTID) to uniquely identify each specific operation, receive a bunch of UHSI, NUDID and UTID from the client module, determine by the received UHSI or NUDID the number of the mobile subscriber of the digital network (MSISDN) and compare the UHSI and NUDID bundle received from the client module with the updated UHSI and UTID bundle obtained after determining the MSISDN, generate the server mode The Identification Service lem unique user identifier (UID), unique user device identifier (SUDID), unique composite key for identifying the user and his device (UCIK), UCIK fingerprint (UIKF), transmit the UCIK composite key and its UIKF fingerprint to the client module in the Application. 2. The method according to claim 1, characterized in that when checking the correspondence of the updated bunch of UHSI identifiers and NUDID to the bunch received from the client module, a message is sent to the given MSISDN number to the user device containing a unique confirmation code (UCC), the UCC code is read from messages, compare the code received from the client module, and the code sent by it to the MSISDN number, check whether the sent transaction identifier UTID matches the previously sent identifier, the online user and his device are considered confirmed if the codes match. 3. The method according to claim 1, characterized in that with the help of the client module, a unique composite key for identifying the user and his device (UCIK) is read from the user device, sent to the Identity Service, and a bunch of hardware device identifier (NUDID) and numbers are determined using the UCIK key the mobile subscriber of the digital network (MSISDN), registered during the last determination of the user's MSISDN, determine the current MSISDN by the device NUDID and get their next link, update the NUDID and MSISDN link on the user device and compare with the previously obtained NUDID and MSISDN bindings , if only the bindings by the current MSISDN and the one updated on the user device match, the server module of the Identification Service generates a unique user identifier (UID), a unique identifier of a user device (SUDID), a unique composite identification key and the user and his device (UCIK), the UCIK fingerprint (UIKF), transmit the UCIK composite key and its UIKF fingerprint to the client module in the Application. 4. The method according to claim 1, characterized in that the online user, previously not identified in the Application, is provided to obtain identification by his MSISDN number during the session without recording his one-time UIKF key in the storage of the Identification Service.

Images